Audit Report

OIG-14-025

Management Letter for the Audit of the Office of the Comptroller of the Currency's Fiscal Years 2013 and 2012 Financial Statements

February 4, 2014

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

February 4, 2014

MEMORANDUM FOR THOMAS J. CURRY
               COMPTROLLER OF THE CURRENCY

FROM:          Michael Fitzgerald
               Director, Financial Audit

SUBJECT:       Management Letter for the Audit of the Office of the Comptroller of the Currency's Fiscal Years 2013 and 2012 Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of the Comptroller of the Currency (OCC) financial statements for fiscal years 2013 and 2012. Under a contract monitored by the Office of Inspector General, Williams, Adley & Company-DC, LLP (Williams Adley), an independent certified public accounting firm (IPA), performed an audit of the OCC's financial statements as of September 30, 2013 and for the year then ended. Another IPA audited the OCC's financial statements as of September 30, 2012 and for the year then ended and expressed an unmodified opinion on those financial statements. The contract required that the audit be performed in accordance with generally accepted government auditing standards and applicable provisions of Office of Management and Budget Bulletin No.
14-02, Audit Requirements for Federal Financial Statements.

As part of its audit, Williams Adley issued, and is responsible for, the accompanying management letter that discusses certain matters involving internal control over financial reporting that were identified during the audit, but were not required to be included in the auditors' reports.

In connection with the contract, we reviewed Williams Adley's letter and related documentation and inquired of its representatives. Our review disclosed no instances where Williams Adley did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Ade Bankole, Manager, Financial Audit, at (202) 927-5329.

Attachment


MANAGEMENT LETTER

Comptroller of the Currency
Office of the Comptroller of the Currency

Inspector General
Department of the Treasury

We have audited the balance sheet as of September 30, 2013, and the related statements of net cost, changes in net position, and budgetary resources for the year then ended, hereinafter referred to as "financial statements", of the Office of the Comptroller of the Currency (OCC) and have issued an unmodified opinion thereon dated November 20, 2013.
The financial statements of OCC as of September 30, 2012 were audited by other auditors, who issued an unmodified opinion dated October 31, 2012.

In planning and performing our audit of the financial statements of the OCC, we considered its internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on internal control. We have not considered the internal control since the date of our report.

In our fiscal year 2013 audit, we did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses. Although not considered to be material weaknesses or significant deficiencies, we noted certain matters involving internal control over information technology operations and the financial institution assessment process that are presented in Appendix I to this letter for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of OCC management, are intended to improve internal control. Also, we noted one management letter comment that is carried over from the prior year, as discussed in Appendix II. Additionally, we have provided the status of all prior year management letter comments in the same appendix.

We appreciate the cooperation and courtesies extended to us during the conduct of the audit.
We will be pleased to meet with you or your staff, at your convenience, to discuss issues in this letter or furnish any additional information you may require.

Washington, D.C.
November 20, 2013

WILLIAMS, ADLEY & COMPANY-DC, LLP
Certified Public Accountants / Management Consultants
1030 15th Street, NW, Suite 350 West • Washington, DC 20005 • (202) 371-1397 • Fax: (202) 371-9161
www.williamsadley.com


Appendix I
Current Year Findings

Information Technology Operations

Although the OCC performed weekly scans, had a process for identifying vulnerabilities within its information systems, and had developed configuration baseline requirements, weaknesses continued to exist in the financial system. OCC had identified certain vulnerabilities during its routine scans but rated them as low to moderate risk.
Since only high-risk vulnerabilities are addressed as part of the Plan of Action and Milestones (POA&M) process, OCC did not address these identified vulnerabilities.

The OCC Master Security Control Catalog (MSCC) Risk Assessment Section, Control RA-5, states: "The OCC remediates legitimate vulnerabilities as specified in associated POA&Ms or corrective action plans in accordance with an organizational assessment of risk." However, the MSCC does not specify what type or level of risk constitutes a legitimate vulnerability, or how each category of risk is to be addressed.

Also, for one of the identified vulnerabilities, the software vendor confirmed that the finding results from a conflict between the application and the scanning tool, and stated that the flagged setting is necessary as a security feature.

System weaknesses increase the potential for unauthorized activities to occur without being detected, leading to potential theft, destruction, and misuse of agency data from both internal and external threats.

Recommendations: We recommend that OCC Security & Compliance Services (SCS):

1. Update the MSCC procedures to:
   a. Define the risk level associated with a legitimate vulnerability, and
   b. Address the handling of identified low- to moderate-risk vulnerabilities.

2. Remediate the identified vulnerabilities.

Management Response:

The OCC concurs with recommendation #1 and stated that it will update its policy to better define risk levels and legitimate vulnerabilities. The OCC stated that it will also update its procedures to provide direction on evaluating and remediating low and moderate vulnerabilities based on a risk assessment.
The OCC estimates completing the corrective actions for this recommendation by January 31, 2014.

OCC stated that it had remediated all the vulnerabilities identified by the auditor under recommendation #2 prior to completion of the audit.

Auditor Analysis:

Based on management's response, we determined that the proposed approach is sufficient to close the recommendations if properly implemented.

OCC's response has not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on it.

Under-assessment of Financial Institutions

From March 2009 through March 2013, five financial institutions were under-assessed by a total of $4,886,926. In September 2013, six financial institutions (including the five mentioned above) were under-assessed by a total of $863,885. During the periods mentioned above, the financial institutions were assessed as commercial banks instead of independent trust banks. Independent trust banks are assessed a surcharge above the commercial bank assessment.

The Licensing Department (within the Office of Chief Counsel) is in charge of providing Financial Management (FM) with the list of banks and each bank's assessment category (i.e. commercial bank, credit card bank, and/or independent trust bank). Each bank is categorized based on the type of assets it holds. In order for a financial institution to qualify as a commercial bank, a bank's assets must be less than 50% trusts.
If the bank's assets exceed 50% trusts, the bank is classified as an Independent Trust Bank and is therefore subject to a surcharge.

The under-assessed banks held less than 50% of their assets in trust when originally evaluated; however, in subsequent assessment periods the trust asset percentage crossed the 50% threshold. Since the Licensing Department did not regularly re-evaluate bank classifications, the commercial bank designation was not revised accordingly.

GAO's Standards for Internal Control in the Federal Government states that:

        "Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation."

        "Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded.
        Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination."

Under-assessment of financial institutions occurred because OCC does not have policies and procedures for periodically re-evaluating banks to determine whether their current categorization, and thus their assessment, is appropriate.

In October 2013, the Comptroller of the Currency decided to waive the assessment and collection of the $4,886,926. The September 2013 under-assessment was collected in October 2013 and was appropriately included in the FY13 financial statements. Due to this error, assessment fees amounting to $4,886,926 that could have been used to fund OCC's operations were not collected.

Recommendation:

We recommend that OCC develop policies and procedures for determining assessment fees, including an annual re-evaluation of banks to confirm or correct their classifications.

Management Response:

The OCC concurs with this recommendation. It stated that it has already established a cross-disciplinary team with experts to develop a streamlined process for determining assessment fees and validating the bank assessment classification. Financial Management (FM) will develop the policies and procedures documenting the process. In addition, FM's Internal Controls team will test the new process to determine if controls are working as designed.
The estimated completion date for the streamlined process is March 31, 2014, and the estimated completion date for the policies and procedures is April 30, 2014.

Auditor Analysis:

Based on management's response, we determined that the proposed approach is sufficient to close the recommendation if properly implemented.

OCC's response has not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on it.


APPENDIX II
Status of Prior Year Findings

The following is the status of the remediation of weaknesses noted during the Fiscal Year 2012 audit. For the purposes of this letter, we included only a summarized version of each issue and the recommendations made.

12-06 OCC Needs To Strengthen Its Contingency Planning Controls (Repeat Condition)

There were weaknesses in OCC's contingency planning controls. Specifically, (1) an executable disaster recovery strategy solution did not exist for a general support system (GSS), (2) the contingency plan for this GSS did not contain detailed procedures for recovering the system in a disaster situation or detailed procedures for reconstituting the system after a disaster, (3) the contingency plan for an application did not contain detailed procedures for recovering that application in a disaster situation or detailed procedures for reconstituting the application after a disaster, and (4) the contingency plans for the application and the GSS included several links to documents stored on the organization's share site. This increases the risk that the referenced documents may not be accessible during a disruption that impacts the network.

Recommendations: OCC management should:

18.
    Continue with its existing corrective action to develop an executable recovery strategy for its network. Once a strategy is developed, it should be tested to ensure that it can be executed.
19. Update the Business Impact Assessment for the general support system to establish a recovery point objective (RPO) for the system.
20. Update the system Contingency Plan to incorporate detailed recovery and reconstitution procedures.
21. Update the system Contingency Plan to incorporate all necessary documents stored on the share site needed to facilitate system recovery.
22. Update the Business Impact Assessment for the application to establish an RPO for the application.
23. Update the application Contingency Plan to incorporate detailed recovery and reconstitution procedures.
24. Update the application Contingency Plan to incorporate all necessary documents stored on the share site needed to facilitate application recovery.

Status: Partially Closed. OCC addressed prior year recommendations 22, 23, and 24, which included updating the contingency plan and the Business Impact Assessment for the application. However, weaknesses continue in OCC's general support system contingency planning controls. As a result, recommendations 18, 19, 20, and 21 remain open.

Management Response:

The OCC concurs with these recommendations. The OCC stated that it is continuing to improve OCC's ability to recover the network general support system through its enterprise disaster recovery modernization initiative. It stated that the OCC's Technology Solutions Subcommittee approved this initiative on July 30, 2013, and that Information Technology Services developed a multi-year project plan to support modernizing OCC's disaster recovery capability that is contingent on allocation of the necessary funding in future periods. OCC stated that management approved the plan and provided the auditors a copy during the audit.
Further, the OCC estimates that corrective actions will be completed no later than January 31, 2014 for recommendation 19; July 30, 2014 for recommendation 20; August 30, 2014 for recommendation 21; and September 30, 2016 for recommendation 18.

Auditor Analysis:

Based on management's response, we determined that the proposed approach is sufficient to close the recommendations if properly implemented.

Status of all prior year findings:

12-01  Prior year finding: OCC should ensure that its Information System Security Plans (SSP) are consistent with Federal requirements.
       Current year status: This finding has been closed.
12-02  Prior year finding: OCC should strengthen its role-based training controls.
       Current year status: This finding has been closed.
12-03  Prior year finding: OCC should ensure that appropriate agreements are in place to ensure that data is adequately protected.
       Current year status: This finding has been closed.
12-04  Prior year finding: OCC needs to strengthen its identification and authentication controls.
       Current year status: This finding has been closed.
12-05  Prior year finding: OCC needs to strengthen its account management controls.
       Current year status: This finding has been closed.
12-06  Prior year finding: OCC needs to strengthen its contingency planning controls (Repeat Condition).
       Current year status: Partially Closed.
       See repeat condition above.
12-07  Prior year finding: OCC should test the offsite disaster recovery backup tapes on a semi-annual basis.
       Current year status: This finding has been closed.
12-08  Prior year finding: OCC should update its virus definitions to the current version.
       Current year status: This finding has been closed.
12-09  Prior year finding: OCC needs to strengthen its controls for configuring information systems.
       Current year status: This finding has been closed.
12-10  Prior year finding: OCC should maintain current patches and remove unnecessary services from application servers.
       Current year status: This finding has been closed.
12-11  Prior year finding: OCC needs to strengthen its configuration management controls.
       Current year status: This finding has been closed.

OCC's response has not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on it.
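The Information Technology Operations finding in Appendix I turns on a triage rule: findings the scanner rated low or moderate never entered the POA&M process, so they had no owner, no due date, and were not remediated. The Python below is an added illustration, not OCC code and not part of the management letter. It expresses a remediation policy as a table of severity bands with a remediation window each, so that a band left out of the policy surfaces as an explicit "untracked" list rather than disappearing, and it keeps a finding such as the vendor-confirmed scanner conflict on record as a risk acceptance with a justification and an expiry date instead of dropping it. The scanner export format, host names, plugin identifiers, CVSS severity bands and remediation windows are all constructed assumptions for the example.

```python
# Tiered vulnerability triage for scan findings. Added illustration, not OCC code:
# the scanner records, severity bands, remediation windows, host names and
# plugin IDs are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str      # scanner check identifier (constructed)
    cvss: float         # base score as reported by the scanner
    first_seen: date    # date the scan first reported the finding

@dataclass(frozen=True)
class RiskAcceptance:   # documented decision not to remediate, with an expiry
    host: str
    plugin_id: str
    justification: str
    expires: date

@dataclass(frozen=True)
class PoamEntry:
    finding: Finding
    severity: str
    due: date

def severity(cvss: float) -> str:
    """Map a CVSS base score to a risk band (bands assumed for the example)."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "moderate"
    return "low"

# Remediation window in days per band. A policy that only enters high-risk
# findings into the POA&M is modelled by omitting the other bands.
HIGH_ONLY_POLICY: Dict[str, int] = {"high": 30}
TIERED_POLICY: Dict[str, int] = {"high": 30, "moderate": 90, "low": 180}

def triage(findings: List[Finding], policy: Dict[str, int],
           acceptances: List[RiskAcceptance], today: date):
    """Split findings into POA&M entries, accepted risks, and findings the policy ignores."""
    active = {(a.host, a.plugin_id) for a in acceptances if a.expires >= today}
    poam: List[PoamEntry] = []
    accepted: List[Finding] = []
    untracked: List[Finding] = []
    for f in findings:
        if (f.host, f.plugin_id) in active:
            accepted.append(f)      # kept on record with justification and expiry
            continue
        band = severity(f.cvss)
        if band not in policy:
            untracked.append(f)     # no owner, no due date: the audit finding
            continue
        poam.append(PoamEntry(f, band, f.first_seen + timedelta(days=policy[band])))
    return poam, accepted, untracked

def overdue(poam: List[PoamEntry], today: date) -> List[PoamEntry]:
    return [e for e in poam if e.due < today]

def parse_scan(text: str) -> List[Finding]:
    """Parse constructed 'host,plugin_id,cvss,first_seen' lines; '#' starts a comment."""
    findings = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, plugin_id, cvss, seen = (c.strip() for c in line.split(","))
        findings.append(Finding(host, plugin_id, float(cvss), date.fromisoformat(seen)))
    return findings

SAMPLE_SCAN = """
# host,plugin_id,cvss,first_seen   (constructed sample export)
fin-app-01,P-1001,9.8,2013-06-03
fin-app-01,P-1042,5.3,2013-06-03
fin-db-01,P-2210,3.1,2013-04-15
fin-db-01,P-2355,6.5,2013-08-20
fin-app-02,P-3100,4.0,2013-09-01
"""

# Constructed acceptance for a vendor-confirmed scanner/application conflict.
ACCEPTANCES = [RiskAcceptance("fin-app-02", "P-3100",
                              "Vendor confirms the flagged setting is a security feature",
                              expires=date(2014, 3, 31))]

def compare_policies(today: date = date(2013, 9, 30)) -> Dict[str, List[str]]:
    """What a high-only policy silently drops versus what a tiered policy tracks."""
    findings = parse_scan(SAMPLE_SCAN)
    ho_poam, _, ho_untracked = triage(findings, HIGH_ONLY_POLICY, ACCEPTANCES, today)
    t_poam, t_accepted, t_untracked = triage(findings, TIERED_POLICY, ACCEPTANCES, today)
    return {
        "high_only_untracked": [f.plugin_id for f in ho_untracked],
        "high_only_overdue": [e.finding.plugin_id for e in overdue(ho_poam, today)],
        "tiered_untracked": [f.plugin_id for f in t_untracked],
        "tiered_overdue": [e.finding.plugin_id for e in overdue(t_poam, today)],
        "accepted": [f.plugin_id for f in t_accepted],
    }

if __name__ == "__main__":
    for key, ids in compare_policies().items():
        print(f"{key}: {ids}")
```

Run against the constructed sample as of September 30, 2013, the high-only policy leaves three of the five findings with no POA&M entry at all, while the tiered policy tracks every one of them and shows that a moderate finding first seen in June has already passed its 90-day window. The acceptance record matters in the other direction: once its expiry passes, the accepted finding re-enters triage and gets a due date, so a vendor's explanation is re-examined rather than becoming a permanent exemption.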